Abstract

Recently, Dziembowski et al. introduced the notion of non-malleable codes (NMC), inspired from the notion of non-malleability in cryptography and the work of Gennaro et al. in 2004 on tamper proof security. Informally, when using NMC, if an attacker modifies a codeword, decoding this modified codeword will return either the original message or a completely unrelated value.

The definition of NMC is related to a family of modifications authorized to the attacker. In their paper, Dziembowski et al. propose a construction valid for the family of all bit-wise independent functions.

In this article, we study the link between the second version of the Wire-Tap (WT) Channel, introduced by Ozarow and Wyner in 1984, and NMC. Using coset-coding, we describe a new construction for NMC w.r.t. a subset of the family of bit-wise independent functions. Our scheme is easier to build and more efficient than the one proposed by Dziembowski et al.

1 Introduction 

In cryptography, the non-malleability property [1] requires that it is impossible, given a ciphertext, to produce another different ciphertext so that the corresponding plaintexts are related to each other. Non-malleability under adaptive chosen-ciphertext attack (NM-CCA2) is one of the strongest computational security properties that is required from an asymmetric encryption scheme (it is equivalent to indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2)).

Recently, Dziembowski et al. [2] proposed a transposition of the cryptographic definition of non-malleability to the field of coding theory. Informally, they define a NMC as a code such that, when a codeword is subject to modifications, its decoding procedure either corrects these errors and decodes to the original message or returns a value that is completely unrelated to the original message.

The property of non-malleability, as defined in [2], is subject to a choice of a family of modifications that we allow an adversary to make on the codewords. Dziembowski et al. also proved that it is impossible for a code to be non-malleable w.r.t. the set of all possible modifications of codewords.

The motivation for NMC is tamperproofness. The authors of [5] were indeed much influenced by the work of Gennaro et al. [3]. Non-malleability can be useful in real-life applications. Some storage devices may be assumed to be "read-proof" because of a sufficient amount of physical or algorithmic protections to prevent anyone from learning the data stored on them. However, even if one cannot read the data, injecting faults in the data and observing the way it affects functions using these data can help to recover them. Injecting faults can be done for instance using lasers [1]. There exists an important literature on how to use Differential Fault Analysis to break cryptosystems (e.g. [5][5]).

Dziembowski et al. studied deeply the non-malleability w.r.t. bit-wise independent tampering functions, i.e. modifications that affect each bit of the codeword independently: flipping the bit or setting it to 0 or 1. This is typically what can be done using fault injections and, consequently, focusing on this family of tampering functions is worthwhile.

In [2], a construction for NMC w.r.t. all bit-wise independent functions is proposed. However, an implementable construction is left as an open problem. Our goal is to propose NMC that can be explicitly built. To this end, we exploit a relation that can be established between the model for NMC and the second version of the Wire-Tap channel [7]. This allows us to prove how coset-coding can be used to build a NMC. Furthermore, the decoding procedure of linear coset-coding consists uniquely of one matrix-vector product. Our construction is thus computationally efficient. Moreover, unlike their solution, our procedure always decodes messages, whereas theirs is closer to error detection and often returns an error symbol.

Organization of the Paper 

In Section 2 we explain and give the formal definitions for NMC as established in [5]. We describe the model of the WT channel in Section 3 and explain the use of coset-coding. We show how the second version of the WT channel and NMC w.r.t. bit-wise independent functions are related and prove why coset-coding can be used as a NMC in Section 4. We finally conclude in Section 5.
2 Non-Malleable Codes



In this section, we intend to give an easy-to-understand description of NMC and their goals. All definitions come from [2].

In the following, we consider a randomized encoding function $\mathrm{Enc} : \{0,1\}^k \to \{0,1\}^n$, which is associated to a deterministic decoding function $\mathrm{Dec} : \{0,1\}^n \to \{0,1\}^k \cup \{\bot\}$, where $\bot$ means that the codeword cannot be decoded. Let $\mathbb{F}_2$ denote the field with two elements.

2.1 The Tampering Experiment 

Let us first introduce the situation considered in NMC. In this model, a source message $m$ is encoded using Enc, in order to be later decoded using Dec. The codeword $c = \mathrm{Enc}(m)$ is stored on a device or sent over a channel before being decoded. During this phase, an attacker applies some tampering function $f$ belonging to a given family of functions $\mathcal{F} \subseteq (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$. A tampered codeword $\tilde{c} = f(c)$ is thus obtained. This erroneous codeword is then decoded to $\tilde{m} = \mathrm{Dec}(\tilde{c})$. This process is described in Figure 1.
Figure 1: The Tampering Experiment



Now focus on the behaviour of the attacker, called Eve in the following. Eve applies a function $f \in \mathcal{F}$ to the codeword $c$, but she does not read $c$. In the real world, this can be seen as injecting faults on a device that you cannot read (e.g. a smart-card) using, for instance, a laser. In this experiment, Eve can however read the resulting decoded message $\tilde{m}$ and try to learn as much as possible about $m$ from $\tilde{m}$. Let us also specify that $f$ is a deterministic function and, furthermore, that Eve knows which function she has chosen in $\mathcal{F}$.

2.2 Defining Non-Malleability

Let us now give the formal definition of non-malleability. Let $\mathcal{F}$ be a family of tampering functions. For each $f \in \mathcal{F}$, we define a random variable $\mathrm{Tamper}_f$ corresponding to the tampering experiment described in the previous section:

$$\mathrm{Tamper}_f = \left\{ c \leftarrow \mathrm{Enc}(s),\ \tilde{c} = f(c),\ \tilde{s} = \mathrm{Dec}(\tilde{c});\ \text{Output: } \tilde{s} \right\}$$

The randomness is induced by the encoding function Enc. The Non-Malleability property is defined as follows:

Definition 1 (Non-Malleability). Let (Enc, Dec) be a coding scheme, where $\mathrm{Enc} : \{0,1\}^k \to \{0,1\}^n$ is random and $\mathrm{Dec} : \{0,1\}^n \to \{0,1\}^k \cup \{\bot\}$ deterministic. Let $\mathcal{F} \subseteq (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ be a family of tampering functions.

We say that the coding scheme (Enc, Dec) is non-malleable w.r.t. $\mathcal{F}$ if for each $f \in \mathcal{F}$, there exists a distribution $D_f$ over $\{0,1\}^k \cup \{\bot, \mathrm{same}\}$ such that, $\forall s \in \{0,1\}^k$, we have:

$$\mathrm{Tamper}_f \approx \left\{ \tilde{s} \leftarrow D_f;\ \text{Output: } s \text{ if } \tilde{s} = \mathrm{same},\ \tilde{s} \text{ otherwise} \right\} \qquad (1)$$

where $\approx$ denotes computational or statistical indistinguishability.



2.3 Explaining the Definition 

First, notice that the definition is relative to a family $\mathcal{F}$ of tampering functions, but the property of indistinguishability concerns each function $f$ separately. Non-malleability w.r.t. a family is in fact non-malleability w.r.t. each function in this family.

Now let us recall what we expect from a NMC. We want that, after the tampering experiment, either the codeword $\tilde{c}$ is well-decoded to the original message $s$ despite the tampering or the decoding procedure results in a value $\tilde{s}$ that is unrelated to the original message. That is the idea behind the distribution $D_f$: either it returns the symbol same, meaning that the decoding furnishes the original value, or it returns a value $\tilde{s} \in \{0,1\}^k \cup \{\bot\}$. As $D_f$ depends only on $f$ and not on the message $s$, in the latter case, the value returned in the second part of Equation (1) is unrelated to $s$.



2.4 Basic Examples 

We summarize here two examples developed in [2] that correspond to usual families of codes encompassed by the definition of NMC.



Error Correction 

Let us assume that $\mathcal{F}$ is a family of tampering functions and $C$ an error-correcting code such that errors introduced by the application of a function $f \in \mathcal{F}$ on any codeword of $C$ can be corrected. Then $C$ is non-malleable w.r.t. $\mathcal{F}$. The distribution associated to every function $f \in \mathcal{F}$ is the constant distribution $D_f = \mathrm{same}$, since erroneous codewords are always well-decoded.



Error Detection 

The same idea can be applied to error-detecting codes. If there is a family $\mathcal{F}$ of tampering functions such that each $f \in \mathcal{F}$ introduces errors in every codeword that are detected by a code $C$, then $C$ is non-malleable w.r.t. $\mathcal{F}$. The distribution associated to every function $f \in \mathcal{F}$ is the constant distribution $D_f = \bot$.
2.5 General (Im)Possibility Results
Impossibility 

As proven in [2], no code is non-malleable w.r.t. the set of all possible tampering functions (i.e. $\mathcal{F} = (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$). Indeed there is, for instance, in $\mathcal{F}$ a function that decodes the codeword, "increments" the message (i.e. adds 1 to its representation in $\mathbb{F}_2$) and re-encodes it. The result of the decoding of such a tampered codeword would always be $s + 1$ and thus would be neither the original message $s$ nor an unrelated value.

Possibility 

In [2], the authors prove that for any bounded-sized family of tampering functions, there exists a NMC. Their result is summed up in the following theorem:

Theorem 1 ([2]). Let $\mathcal{F} \subseteq (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ be a family of tampering functions such that $n > \log(\log(|\mathcal{F}|))$. Then there exists a non-malleable code w.r.t. $\mathcal{F}$.

2.6 Bit-wise Independent Tampering 

Bit-wise independent tampering is a special case of tampering where each bit of the codeword is tampered with independently. Formally a function $f : \{0,1\}^n \to \{0,1\}^n$ is bit-wise independent if we can find $n$ independent functions $f_1, \ldots, f_n : \{0,1\} \to \{0,1\}$ such that $\forall x \in \{0,1\}^n$, $f(x) = (f_1(x_1), \ldots, f_n(x_n))$. There are four possibilities for each $f_i$ which we denote by keep, flip, 0 and 1 (keep and flip are explicit, 0 (resp. 1) is the function that sets a bit to 0 (resp. 1) regardless of what it was before).

In [2], a construction for a NMC w.r.t. the family of all bit-wise independent functions is introduced. It uses Linear Error-Correcting Secret-Sharing (LECSS) schemes [5] and Algebraic Manipulation Detection (AMD) codes [?]. Both are quite new tools and even the authors of [2] leave the explicit construction of LECSS codes as an "interesting open problem". Furthermore, their solution is quite close to error detecting codes as it decodes to $\bot$ after a tampering in most cases¹.

In Section 4 we propose a new way to build NMC w.r.t. bit-wise independent functions. Our solution covers less tampering functions but uses more standard and efficient tools. Moreover, our scheme is neither error-correcting nor error-detecting (it never returns $\bot$) and so, to our opinion, is closer to the original definition of non-malleability, which is more generic than error detection or correction.



¹ In their proof of non-malleability, the authors of [2] distinguish different cases depending on the considered tampering function (more precisely its number $q$ of 0 and 1 sub-functions) and the secrecy $t$ of the LECSS scheme. When $t < q < n - t$, the tampering experiment always returns $\bot$ and when $q < t$, the scheme is likely to often return $\bot$.
3 The Wire-Tap Channel



In the following, a $[n, k, d]$ linear code denotes a subspace of dimension $k$ of $\mathbb{F}_2^n$ with minimal Hamming distance $d$.

3.1 Linear Coset Coding 

Coset coding is a random encoding used for both models of WT Channel. This type of encoding uses a $[n, k, d]$ linear code $C$ with a parity-check matrix $H$. Let $r = n - k$. To encode a message $m \in \mathbb{F}_2^r$, one chooses randomly an element among all $x \in \mathbb{F}_2^n$ such that $m = Hx$. To decode a codeword $x$, one just applies the parity-check matrix $H$ and obtains the syndrome of $x$ for the code $C$, which is the message $m$. This procedure is summed up in Figure 2.



Given: $C$ a $[n, n - r, d]$ linear code with an $r \times n$ parity-check matrix $H$
Encode: $m \in \mathbb{F}_2^r \mapsto x \in \mathbb{F}_2^n$ chosen at random s.t. $Hx = m$
Decode: $x \in \mathbb{F}_2^n \mapsto m = Hx$

Figure 2: Linear Coset-coding



3.2 The Wire-Tap Channel I

The Wire-Tap Channel was introduced by Wyner [10]. In this model, a sender Alice sends messages over a potentially noisy channel to a receiver Bob. An adversary Eve listens to an auxiliary channel, the WT channel, which is a noisier version of the main channel. It was shown that, with an appropriate coding scheme, the secret message can be conveyed in such a way that Bob has complete knowledge of the secret and Eve does not learn anything. In the special case where the main channel is noiseless, the secrecy capacity can be achieved through a linear coset coding scheme. We summarize the WT Channel I in Figure 3.
Figure 3: The Wire-Tap Channel I
3.3 The Wire-Tap Channel II



Ten years later, Ozarow and Wyner introduced a second version of the WT Channel [7]. In this model, both main and WT channels are noiseless. This time, the disadvantage for Eve is that she can only see messages with erasures: she has only access to a limited number of bits per codeword. She is however allowed to choose which bits she can learn. We summarize the Wire-Tap Channel II in Figure 4.



Figure 4: The Wire-Tap Channel II (Alice encodes with Enc and sends the codeword to Bob; Eve sees chosen bits of c)



The encoding used in this model is again a coset coding based on a linear code $C$, as in the Wire-Tap Channel I with a noiseless main channel. Let $d^\perp$ denote the minimal distance of the dual $C^\perp$ of $C$. One can prove (see [H] for instance) that, if Eve can access less than $d^\perp$ bits of a codeword, then she gains no information at all on the associated message.

Linear coset-coding for the WT channel can be efficiently implemented using LDPC codes [HdS].

4 From the Wire-Tap Channel to Non-Malleable Codes

For our construction, we only deal with tampering functions that are bit-wise independent.

4.1 Motivations for Using Wire-Tap 

Roughly speaking, in both models, codewords are modified either with random faults (WT I), adversary-controlled erasures (WT II) or an adversary-controlled tampering function (NMC). From these modified codewords or their decoding results, the adversary tries to learn information on the original messages.

The first WT is a little different from the other models because errors are random and so do not occur in the same number and bit positions every time. It could however be covered by the definition of NMC if every possible tampering caused by these random errors were included in the family of tampering functions taken into account by the code.
Let us now assume that we want to use a linear coset-coding scheme with a parity-check matrix $H$ as NMC. We cannot be protected against tampering functions that only add errors (i.e. bit-wise independent functions where the only choices for each bit are keep or flip). To see why, let $\mathcal{F}$ be a family of such functions. Obviously, for each $f \in \mathcal{F}$, there is an error vector $e \in \mathbb{F}_2^n$ such that $\forall c \in \mathbb{F}_2^n$, $f(c) = c + e$. Let us follow the tampering experiment. Let $m \in \mathbb{F}_2^r$ be a source message and $c$ an encoding of $m$. Say $c$ is tampered to $\tilde{c} = c + e$. Decoding results in $\tilde{m} = Hc + He = m + He$. Thus, $\tilde{m}$ is always $m$ plus a constant offset. It is consequently related to $m$. Linear coset-coding cannot be non-malleable w.r.t. these "error-only" functions. There must be some 0 and 1 in the tampering.

This is why we consider WT II. Indeed, using 0 and 1 on some bits of the codewords is, in an information-theoretic sense, like having erasures at the corresponding locations, as we do not know what was originally there. As WT II guarantees that no information is leaked from erased codewords encoded using an appropriate coset-coding scheme, there will be no relation between the decoded tampered codeword and the original message. That is what motivates our proposal.

4.2 The Construction 

As discussed before, we consider bit-wise independent functions where the sub-functions are not only keep or flip. Nevertheless, we authorize bit-flips because if the result of the tampering experiment is unrelated to the original message, then the result added to a constant offset will also be unrelated to this message. We state the following theorem:

Theorem 2 (Linear coset-coding as NMC). Let $\mathcal{F} \subseteq (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ be a family of bit-wise independent tampering functions such that:

$$\forall f = (f_1, \ldots, f_n) \in \mathcal{F}, \quad |\{ i : f_i = 0 \text{ or } f_i = 1 \}| \geq D .$$

Let $C$ be a $[n, k, d]$-linear code such that $D > n - d^\perp$, where $d^\perp$ is the minimal distance of its dual code $C^\perp$.

Then a linear coset-coding using $C$ is non-malleable w.r.t. $\mathcal{F}$.

4.3 Proof of Non-Malleability 

Our proof of non-malleability is inspired from the proof of security of the WT II in [H].

Let us consider we are in the situation of Theorem 2. Let $f = (f_1, \ldots, f_n) \in \mathcal{F}$ be a tampering function. Let $S_{01}$ be the set of all positions $i$ such that $f_i = 0$ or $f_i = 1$. Let $S_{\mathrm{keep}}$ and $S_{\mathrm{flip}}$ be the equivalent sets for keep and flip. Let $e \in \mathbb{F}_2^n$ be such that $\forall i = 1, \ldots, n$, $e_i = \chi_{S_{\mathrm{flip}}}(i)$ (where $\chi_A$ denotes the indicator function of a set $A$) and $\bar{e} \in \mathbb{F}_2^n$ be such that $\bar{e}_i = 1$ if $f_i = 1$ and $\bar{e}_i = 0$ otherwise. Let $h_1, \ldots, h_n$ denote the columns of the parity-check matrix $H$.

Let $m \in \mathbb{F}_2^r$ be a message encoded to $c \in \mathbb{F}_2^n$. Let $\tilde{c} = f(c)$ and $\tilde{m} = H\tilde{c}$. We have

$$\begin{aligned}
\tilde{m} &= \sum_{i \in S_{01}} h_i \tilde{c}_i + \sum_{i \in S_{\mathrm{flip}}} h_i \tilde{c}_i + \sum_{i \in S_{\mathrm{keep}}} h_i \tilde{c}_i \\
&= \sum_{i \in S_{01}} h_i \bar{e}_i + \sum_{i \in S_{\mathrm{keep}}} h_i c_i + \sum_{i \in S_{\mathrm{flip}}} h_i (c_i + e_i) \\
&= H\bar{e} + He + \sum_{i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}} h_i c_i \\
&= m + H\bar{e} + He - \sum_{i \in S_{01}} h_i c_i .
\end{aligned}$$

If we want $\tilde{m}$ to be unrelated to $m$, then we want $\sum_{i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}} h_i c_i$ to be unrelated to $m$. If the submatrix $H_{\mathrm{kf}}$ made of the columns $h_i$, $i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}$, is of full rank $r = n - k$, then we gain no information on the corresponding bits of $m$, and all values are equiprobable. This is achieved in particular if $|S_{\mathrm{keep}} \cup S_{\mathrm{flip}}| < d^\perp$ (see chapter 9 of [H]).

If $D > n - d^\perp$, then $|S_{01}| > n - d^\perp$, i.e. $n - |S_{\mathrm{keep}} \cup S_{\mathrm{flip}}| > n - d^\perp$ or $|S_{\mathrm{keep}} \cup S_{\mathrm{flip}}| < d^\perp$. The condition of the previous paragraph is thus achieved if we use the parameters of Theorem 2.

Let us define more formally the distribution $D_f$ associated to $f$. Let $K_i$, $i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}$, be Bernoulli(1/2) distributions. Then

$$D_f = H\bar{e} + He + \sum_{i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}} h_i K_i .$$

This distribution and the result of the tampering experiment are identically distributed.

The coset-coding scheme used in Theorem 2 is consequently non-malleable w.r.t. $\mathcal{F}$.

□ 
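As an added worked example (not code from the paper), the following Python program instantiates linear coset-coding with the [7,4,3] Hamming code, whose dual is the [7,3,4] simplex code, so $d^\perp = 4$ and Theorem 2 needs more than $n - d^\perp = 3$ sub-functions equal to 0 or 1. Enumerating every element of a coset gives the exact distribution of $\mathrm{Dec}(f(\mathrm{Enc}(m)))$, so the program checks the claims of Sections 4.1 and 4.3 rather than sampling them: an error-only function decodes to $m + He$ for every codeword, a function meeting the hypothesis of Theorem 2 gives a decoded distribution that is the same for every message and equal to the $D_f$ of the proof, and a function with only three positions set to 0 or 1 does not. The matrix $H$, the function names and the sample tampering functions are my own choices.

```python
import itertools
import random
from collections import Counter
from fractions import Fraction

# Constructed example: parity-check matrix of the [7,4,3] Hamming code (r = 3 rows,
# n = 7 columns; column i is the binary expansion of i+1, least significant bit in row 0).
# The rows generate the dual code, the [7,3,4] simplex code, hence d^⊥ = 4.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
R, N = len(H), len(H[0])
MESSAGES = tuple(itertools.product((0, 1), repeat=R))

def syndrome(x):
    """Coset decoding: m = H x over F_2, one matrix-vector product."""
    return tuple(sum(H[j][i] & x[i] for i in range(N)) % 2 for j in range(R))

def coset(m):
    """All x in F_2^n with H x = m; the coset encoder draws one of them uniformly."""
    return [x for x in itertools.product((0, 1), repeat=N) if syndrome(x) == m]

def encode(m):
    """Randomized coset encoder Enc."""
    return random.choice(coset(m))

def dual_distance():
    """d^⊥: minimum weight of a nonzero codeword of C^⊥ (all combinations of rows of H)."""
    weights = []
    for a in itertools.product((0, 1), repeat=R):
        if any(a):
            word = [sum(a[j] & H[j][i] for j in range(R)) % 2 for i in range(N)]
            weights.append(sum(word))
    return min(weights)

def tamper(f, c):
    """Bit-wise independent tampering; each f_i is 'keep', 'flip', 0 or 1."""
    return tuple(b if s == "keep" else b ^ 1 if s == "flip" else s for s, b in zip(f, c))

def theorem2_applies(f):
    """Hypothesis of Theorem 2 for f alone: |S_01| >= D for some D > n - d^⊥."""
    return sum(1 for s in f if s in (0, 1)) > N - dual_distance()

def tamper_distribution(f, m):
    """Exact distribution of Dec(f(Enc(m))) over the encoder's coins."""
    counts = Counter(syndrome(tamper(f, c)) for c in coset(m))
    total = sum(counts.values())
    return {v: Fraction(k, total) for v, k in counts.items()}

def error_only_offset(f):
    """For a keep/flip-only f, f(c) = c + e and Dec(f(c)) = m + H e: a constant offset."""
    e = tuple(1 if s == "flip" else 0 for s in f)
    return syndrome(e)

def predicted_Df(f):
    """D_f from the proof: H ebar + H e + sum over S_keep ∪ S_flip of h_i K_i, K_i fair coins."""
    ebar = tuple(1 if s == 1 else 0 for s in f)
    e = tuple(1 if s == "flip" else 0 for s in f)
    const = tuple((a + b) % 2 for a, b in zip(syndrome(ebar), syndrome(e)))
    S = [i for i, s in enumerate(f) if s in ("keep", "flip")]
    counts = Counter()
    for coins in itertools.product((0, 1), repeat=len(S)):
        x = [0] * N
        for i, k in zip(S, coins):
            x[i] = k
        counts[tuple((a + b) % 2 for a, b in zip(const, syndrome(tuple(x))))] += 1
    return {v: Fraction(k, 2 ** len(S)) for v, k in counts.items()}

def message_independent(f):
    """True iff Dec(f(Enc(m))) has the same distribution for every message m,
    i.e. a message-independent D_f exists and the tampered decoding reveals nothing about m."""
    dists = [tamper_distribution(f, m) for m in MESSAGES]
    return all(d == dists[0] for d in dists)

if __name__ == "__main__":
    f_good = (0, 1, 0, 1, "keep", "flip", "keep")      # four positions set: Theorem 2 applies
    f_bad = ("keep", 0, "keep", 1, "keep", 0, "keep")   # only three: no guarantee
    f_err = ("flip",) + ("keep",) * 6                   # error-only: offset H e
    print("d_perp =", dual_distance())
    print("f_good:", theorem2_applies(f_good), message_independent(f_good))
    print("f_bad:", theorem2_applies(f_bad), message_independent(f_bad))
    print("f_err offset:", error_only_offset(f_err))
```

For `f_good`, the positions 4, 5, 6 left as keep or flip form an information set of every coset (the remaining columns $h_0, \ldots, h_3$ span $\mathbb{F}_2^3$), so the decoded value $h_4 c_4 + h_5 c_5 + h_6 c_6$ is uniform whatever $m$ is, exactly the $D_f$ of the proof. For `f_bad`, the kept positions are the support of the first row of $H$, so the first bit of $\tilde{m}$ equals the first bit of $m$ and the distributions differ between messages.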

4.4 Going Further 

Towards a Larger Family of Tampering Functions 

When comparing our construction to the one of [2], one can relate the LECSS and our coset-coding scheme. The only requirement that is not fulfilled by linear coset-coding is a large distance. As the distance of linear coset-coding is 1, we cannot assume $d > n/4$ as they do. That is why we cannot directly modify this construction and replace LECSS with coset-coding in the description of the code and the proof of non-malleability.

Both LECSS and coset-coding ensure non-malleability when the number of 0 or 1 sub-functions of the tampering function is high enough. To deal with the case where the number of such functions is low, Dziembowski et al. concatenated the LECSS with an AMD code. In such a case, the tampering function acts by adding an error following a fixed distribution (i.e. independent of the codeword) and the decoding procedure results in $\bot$ with high probability because of the AMD code. Therefore, non-malleability is ensured. Following this idea, it might also be possible to encapsulate our coset-coding scheme within an error-detecting or an error-correcting code. Thus we would achieve non-malleability w.r.t. a larger family of functions. In particular, functions with a small number of 0 or 1 sub-functions which cannot be dealt with by coset-coding alone could be included. For the error-detecting case, using an AMD code as in [5] seems to be feasible. However, for the error-correcting case, it is not clear which kind of correction strategy to use to deal with the effects of the linear coset-coding scheme. Nevertheless, if such functions are the only ones of interest, one must be aware that an error correcting or an error detecting code is sufficient by itself.

Relaxing the Notion of Non-Malleability 

In the model for the WT II described in this paper, we require that Eve cannot obtain any bit of information on the messages sent over the channel. This strong security notion can be relaxed. Indeed, one could be satisfied even if Eve learned only a bounded amount of bits. This is possible if we consider generalized Hamming distances [?] instead of the dual distance of the code considered in the linear coset-coding scheme. For $i \in \mathbb{N}$, the generalized distance $d_i$ is such that if Eve cannot obtain more than $d_i$ bits per message, then she gains no more than $i - 1$ bits of information per message. For instance, $d_1 = d^\perp$.

In the same spirit, one could relax the notion of non-malleability. After the tampering experiment, we could state that either the decoding procedure returns the original message or it enables to learn a bounded number of bits of information on this message. Using our construction, it is easy to build another scheme that would satisfy this requirement. One would only have to replace dual distances by generalized distances.

5 Conclusion 

We established in this paper a parallel between Non-Malleable Codes and the Wire-Tap Channel. This relation enabled us to build an efficient non-malleable scheme, w.r.t. a family of bit-wise independent functions, that is neither error-correcting nor error-detecting.

Considering bit-wise independent tampering is a worthwhile first step for NMC. An interesting open problem would be now to build schemes that are non-malleable w.r.t. larger families of functions.